By Lucas Amodio, C|EH, Armstrong Teasdale
On Friday, October 21, hackers attacked Dyn, a company that hosts domain name systems. The massive distributed denial of service (DDoS) attack caused outages at multiple websites and online services, such as Twitter, Netflix, Spotify, and Airbnb.
How the Hack Happened
A broad range of services and people were affected because hackers zeroed in on a critical part of the Internet’s structure. In fact, some news sources are calling it the biggest cyberattack in U.S. history. Because it isn’t likely to be the last we hear from the hackers, employers should understand what just happened and take steps to prepare for similar cyber-challenges in the future.
Dyn is one of the companies that directs Internet traffic. For example, if you type in Google.com, a domain name system (DNS) determines where you want to go, directs you to the correct website, and locates the nearest server that contains the data you’re seeking. By attacking Dyn, hackers overloaded the computer systems that would make that redirection, effectively preventing users from accessing their destination websites. The attack mainly impacted the northeastern United States, but the effects were felt all over the world.
During a DDoS attack, the hacker uses multiple computers simultaneously to send an overwhelming amount of bogus data and/or requests to a target. The bogus data overload the target, preventing it from responding to real requests. These multiple computers may be computers infected with malware that are instructed to make the attacks. The computer owners may not even know that their computers are a part of the attack. While an individual source of bad data can be shut down, the widely distributed nature of the attack makes it much harder to stop.
In Dyn’s case, hackers flooded the domain name service with billions of bits of junk data per second. The junk data overloaded the service and caused it to go down. Dyn then was unable to respond to real requests while the deluge of junk data was hitting it.
Introducing the ‘Internet of Things’
While DDoS attacks are common, one of the interesting things about the October 21 assault was how the hackers did it. They used Internet of Things (IoT) devices – which they compromised with malware – as their attack vector. The devices included Internet-connected cameras, thermostats, DVRs, smart TVs, and other Internet-connected devices you can find in most businesses and homes. At the appointed hour, the hackers instructed the devices to transmit the junk data to the target. Potentially, tens of millions of devices transmitted the junk data in what might have been the largest attack so far.
The IoT devices were easy pickings for the hackers because they usually don’t have much in the way of security. While your average personal computer has antivirus and antimalware software, your average IoT device does not. Many IoT devices lack strong encryption and password security. While we receive Windows updates for security on an almost weekly basis, many IoT devices aren’t updated or don’t even have a way to update. Some IoT devices come with default passwords. If the user didn’t change them, then the door is completely open as those default passwords are widely known in the hacking world.
In response to the use of IoT devices in the attack, Chinese firm Hangzhou Xiongmai Technology will be recalling some of its products that were determined to be insecure. The company is providing patches to users who bought products made before April 2015. However, even this is just a Band-Aid. How many users are actually going to install the patch?
Five Questions Employers Should Ask
As more and more devices are making their way into homes and businesses, they are going to provide hackers with new, easy platforms for launching attacks like the one we saw on October 21. So what can you do to make sure you’re safe from these attacks in the future? As always, be prepared. When major attacks like this happen, I like to remind people to have their plans in place and answer these questions:
- What will you do if your site or service goes down?
- Do you have all of your important data backed up?
- How important is it for you to be online all of the time?
- There are companies and services out there that provide DDoS protection–would it be cost-effective for you to use their services?
- And don’t forget to ask key vendors and partners about the security of their systems and how an attack on the might have a domino effect on you.
Being prepared is always the best plan. After all, it’s not IF, but WHEN an attack will happen to you.
Lucas Amodio is an attorney with Armstrong Teasdale in St. Louis and a certified ethical hacker. He will be talking about the Internet of Things and HR’s role in responding to breaches during the Advanced Employment Issues Symposium in Las Vegas on Friday, November 11. To register for the conference, go to www.aeisonline.com. You can reach Amodio at lamodio@armstrongteasdale.com or find him on Twitter at @DarthAttorney.